1. Problem Overview

Why is software (re)certification hard?

* Systems change, requirements evolve.
  + As changes occur, how do we determine how the changes affect security?
  + Review, review, then review some more.

* DIACAP and RMF for IS and PIT systems mandate a continuous review process...
  + Reviews require time, expertise, manpower, money.
[Figure: the DoD RMF six-step cycle as reproduced on the slide]

Step 1 CATEGORIZE System
  + Categorize the system in accordance with the CNSSI 1253
  + Initiate the Security Plan
  + Register system with DoD Component Cybersecurity Program
  + Assign qualified personnel to RMF roles

Step 2 SELECT Security Controls
  + Common Control Identification
  + Select security controls
  + Develop system-level continuous monitoring strategy
  + Review and approve the security plan and continuous monitoring strategy
  + Apply overlays and tailor

Step 3 IMPLEMENT Security Controls
  + Implement control solutions consistent with DoD Component Cybersecurity architectures
  + Document security control implementation in the security plan

Step 4 ASSESS Security Controls
  + Develop and approve Security Assessment Plan
  + Assess security controls
  + SCA prepares Security Assessment Report (SAR)

Step 5 AUTHORIZE System
  + Prepare the POA&M
  + Submit Security Authorization Package (security plan, SAR and POA&M) to AO
  + AO conducts final risk determination
  + AO makes authorization decision

Step 6 MONITOR Security Controls
  + Determine impact of changes to the system and environment
  + Assess selected controls annually
  + Conduct needed remediation
  + Update security plan, SAR and POA&M
  + Report security status to AO
  + AO reviews reported status
  + Implement system decommission strategy
Assess, review, remediate... rinse, repeat...

* Good in theory, but in practice? Everything is done manually; i.e. slowly.

* Cannot scale as complexity increases.
  + Mobile? Cloud-based platforms?
  + Constant change.
  + Constantly increasing complexity.
What's the risk?

* Fast and loose: data spills.
  + Quick and dirty, miss critical faults.

* Slow and steady: lose agility.
  + Must avoid review "backlog mission impossible".
  + Adversaries will roll out new systems faster than us.

* Can't just throw more experts at the problem...
  + Brooks' Law.
  + Too many cooks! Increases accidental complexity.
    - "9 women can't make a baby in 1 month!"
What kind of solution is needed?

* Use automation.
* Scale with evolving architectural assumptions.
* Do analysis computationally.
  + Focus on adding new features, let the analysis determine the impact.

* Result: rapid analysis at recertification (or design) time.

What parts do we focus on?

* Focus on the parts that are commensurate with risk:
  + Data.
  + Secure enclave boundaries.
  + Changes.
Technical Background

* Application Profile Language, model-checking.
* Semantic parameterization (Breaux et al., 2008).
  + Actions on data: actors, objects, purposes, source, destination.

* Bell-LaPadula: high-, low-confidentiality.
* Characterize the purpose; security level.
* Express compositions; logical subsumption.
  + Containment
  + Disjointness

* This forms the basis for our application profile language.

Technical Background

[Figure: workflow. Write/Modify Application Profile -> Automated Analysis & Conflict Detection]
Running Example

* Public accounts of a real-world ship: the Zumwalt-class destroyer.
* TSCE Infrastructure: 6 MLOC.
* Focus on software requirements:
  + Sensory and information sharing capabilities.

* Application profiles
  + Actions on data:
    * Collection
    * Use
    * Transfer
  + Traces:
    * Collection-Use
    * Collection-Transfer
    * Vice-versa
Approach

[Figure: Write/Modify Application Profile -> Automated Analysis & Conflict Detection]

* Conflict Detection
  + Policy may specify a prohibition and a right on the same data, for the same purpose.
  + Leads to conflict.

Data Definitions (Profile's Header)

[Figure: USS Zumwalt's collected radar data: Enemy Fleet Data, Terrain Data, Friendly Fleet data; Low Confidentiality region]

SPEC HEADER
D collected_radar_data < friendly_data, enemy_data, terrain_data

Definitions (Profile's Policy)

SPEC POLICY
... FOR low_confidentiality
... TO friendly_fleet FOR low_confidentiality
R TRANSFER friendly_data TO anyone FOR low_confidentiality
Rules of the running example, each given as rule text, in the Application Profile Language, and as its formalization in Description Logic:

1. Permit collection of collected radar data from Zumwalt's radar system, designating it as high confidentiality data.
   Application Profile Language: P COLLECT collected_radar_data FROM radar_system FOR high_confidentiality
   Formalization in Description Logic: $p_1 = \mathrm{COLLECT} \sqcap \exists hasObject.collected\_radar\_data \sqcap \exists hasSource.radar\_system \sqcap \exists hasPurpose.high\_confidentiality$

2. Permit transfer of data about enemy vessels to friendly fleet members for general, low confidentiality purposes.
   Application Profile Language: P TRANSFER enemy_data TO friendly_fleet FOR low_confidentiality
   Formalization in Description Logic: $p_2 = \mathrm{TRANSFER} \sqcap \exists hasObject.enemy\_data \sqcap \exists hasTarget.friendly\_fleet \sqcap \exists hasPurpose.low\_confidentiality$

3. Permit transfer of all collected radar data to friendly fleet members for general, low confidentiality purposes. This rule generates a conflict, which is explained below.
   Application Profile Language: P TRANSFER collected_radar_data TO friendly_fleet FOR low_confidentiality
   Formalization in Description Logic: $p_3 = \mathrm{TRANSFER} \sqcap \exists hasObject.collected\_radar\_data \sqcap \exists hasTarget.friendly\_fleet \sqcap \exists hasPurpose.low\_confidentiality$

4. Permit transfer of data about friendly vessels to friendly fleet members for specific, high confidentiality purposes.
   Application Profile Language: P TRANSFER friendly_data TO friendly_fleet FOR high_confidentiality
   Formalization in Description Logic: $p_4 = \mathrm{TRANSFER} \sqcap \exists hasObject.friendly\_data \sqcap \exists hasTarget.friendly\_fleet \sqcap \exists hasPurpose.high\_confidentiality$

5. Prohibit transfer of friendly fleet data to anyone for general, low confidentiality purposes. This rule conflicts with Rule 3, explained below.
   Application Profile Language: R TRANSFER friendly_data TO anyone FOR low_confidentiality
   Formalization in Description Logic: $r_5 = \mathrm{TRANSFER} \sqcap \exists hasObject.friendly\_data \sqcap \exists hasTarget.Actor \sqcap \exists hasPurpose.low\_confidentiality$
[Figure: the transfer rules grouped by purpose level]

High_confidentiality:
  P TRANSFER friendly_data TO friendly_fleet FOR high_confidentiality

Low_confidentiality:
  P TRANSFER enemy_data TO friendly_fleet FOR low_confidentiality
  R TRANSFER friendly_data TO anyone FOR low_confidentiality
Reconciliation

* Two reconciliation approaches identified:
  + Redaction
  + Generalization
* One approach that defeats these measures:
  + Merging

Redaction

* Eliminate a subsumption relationship within a collection.

  D redacted_radar_data < enemy_fleet_data, terrain_data

  [Figure: the redacted radar data collection]

* Permits the new (redacted) collection to be used for low-confidentiality purposes.
Redaction

SPEC POLICY
1 P COLLECT collected_radar_data FROM radar_system FOR high_confidentiality
2 P TRANSFER enemy_data TO friendly_fleet FOR low_confidentiality

REDACT(collected_radar_data -> redacted_radar_data, friendly_data, low_confidentiality)

3 P TRANSFER redacted_radar_data TO friendly_fleet FOR low_confidentiality
4 P TRANSFER friendly_data TO friendly_fleet FOR high_confidentiality
5 R TRANSFER friendly_data TO anyone FOR low_confidentiality
Redacted Radar Data

[Figure: USS Zumwalt, Low Confidentiality region, Terrain Data, Friendly Fleet]

Generalization

* Some types of data can be fuzzified.
  + Add noise, decrease fidelity.

* Numerical data:
  + Coordinates, time...

* All collections' members must be generalized.
Merging

* Combine redacted data with un-redacted to recreate original.
* Combine generalized data with de-noised data to recreate original.

Distinguishing the Merging Risk

Policy Violation:
1. Collect data for high-confidentiality purpose.
2. Collect other data for low-confidentiality purpose.
3. Repurpose high-confidentiality data, violate policy.

Merging:
1. Collect data for low-confidentiality purpose.
   + Data is subset of redacted superset.
2. Collect related data for low-confidentiality purpose.
   + Data is negation of superset and redacted superset.
3. Merge two disjoint collections.

Similarly purposed data flows may be merged.
Merging Risk Mitigation

* Can catch merging risks as a result of conflict analysis.
* Check subsumed purposes.
* Trace data flows, transfer only what data is needed.

* Mitigates human error due to missed interpretations.
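The conflict check on the Approach slides, the REDACT reconciliation, and the merging check described above, carried through on the running example as an added illustration. This is example code written for this page, not the authors' analysis tool, and it does no description-logic reasoning: subsumption is computed by expanding the `D` definitions, `anyone` is assumed to subsume every named actor (the `ACTORS` table is constructed here), purposes are compared by name, and the handling of `REDACT(...)` and the merging-risk criterion (disjoint permitted inflows that together rebuild a collection a prohibition still covers) are this example's own assumptions:

```python
# Added example (hypothetical code for this page, not the authors' tool): a toy
# checker for the application-profile rules used in the running example.
# Assumptions: 'D x < a, b' means x subsumes a and b; 'anyone' subsumes every
# actor in ACTORS; purposes are compared by name; REDACT(src -> dst, member, p)
# defines dst as src minus member; the merging criterion is this example's own.
from collections import namedtuple

Rule = namedtuple("Rule", "num modality action obj party purpose")

# Constructed input, transcribed from the slides' SPEC HEADER / SPEC POLICY.
ORIGINAL_PROFILE = """
SPEC HEADER
D collected_radar_data < friendly_data, enemy_data, terrain_data
SPEC POLICY
1 P COLLECT collected_radar_data FROM radar_system FOR high_confidentiality
2 P TRANSFER enemy_data TO friendly_fleet FOR low_confidentiality
3 P TRANSFER collected_radar_data TO friendly_fleet FOR low_confidentiality
4 P TRANSFER friendly_data TO friendly_fleet FOR high_confidentiality
5 R TRANSFER friendly_data TO anyone FOR low_confidentiality
"""

# The reconciled profile from the Redaction slide: rule 3 now transfers the
# redacted collection instead of the full radar collection.
REDACTED_PROFILE = ORIGINAL_PROFILE.replace(
    "3 P TRANSFER collected_radar_data",
    "REDACT(collected_radar_data -> redacted_radar_data, friendly_data, "
    "low_confidentiality)\n3 P TRANSFER redacted_radar_data")

# Assumed actor hierarchy: the top concept 'anyone' (Actor) subsumes all actors.
ACTORS = {"anyone": {"friendly_fleet", "radar_system"}}


def parse_profile(text):
    """Return (data hierarchy, rules) for a profile in the slides' syntax."""
    data, rules = {}, []
    for line in text.splitlines():
        tok = line.replace(",", " ").split()
        if not tok or tok[0] == "SPEC":
            continue
        if tok[0] == "D":                        # D name < member, member, ...
            data[tok[1]] = set(tok[3:])
        elif tok[0].startswith("REDACT("):       # REDACT(src -> dst, member, purpose)
            src, rest = line[line.index("(") + 1:line.rindex(")")].split("->")
            dst, member, _purpose = [s.strip() for s in rest.split(",")]
            data[dst] = data[src.strip()] - {member}
        else:                                    # [n] P|R ACTION obj FROM|TO party FOR purpose
            if tok[0].isdigit():
                tok = tok[1:]
            modality, action, obj, _role, party, _for, purpose = tok
            rules.append(Rule(len(rules) + 1, modality, action, obj, party, purpose))
    return data, rules


def leaves(name, hierarchy):
    """Atomic concepts subsumed by name (name itself if it is not a collection)."""
    if name not in hierarchy:
        return {name}
    return set().union(*(leaves(m, hierarchy) for m in hierarchy[name]))


def overlap(a, b, hierarchy):
    """Two concepts overlap when they share at least one atomic member."""
    return bool(leaves(a, hierarchy) & leaves(b, hierarchy))


def conflicts(data, rules, actors=ACTORS):
    """(permit, prohibit) rule pairs with the same action whose object, party
    and purpose all overlap: a right and a prohibition on the same data for
    the same purpose."""
    return [(p.num, r.num) for p in rules for r in rules
            if (p.modality, r.modality) == ("P", "R") and p.action == r.action
            and overlap(p.obj, r.obj, data) and overlap(p.party, r.party, actors)
            and p.purpose == r.purpose]


def merging_risks(data, rules, actors=ACTORS):
    """Recipients whose permitted inflows, taken together (across purposes),
    rebuild a collection that no single inflow grants, while a prohibition
    still covers part of that collection for that recipient."""
    risks = []
    recipients = {r.party for r in rules if r.modality == "P" and r.action == "TRANSFER"}
    for collection in data:
        whole = leaves(collection, data)
        for party in sorted(recipients):
            inflows = [r for r in rules if r.modality == "P" and r.action == "TRANSFER"
                       and overlap(r.party, party, actors)]
            pieces = [leaves(r.obj, data) for r in inflows]
            if not pieces or any(p >= whole for p in pieces) or not set().union(*pieces) >= whole:
                continue
            blocked = [r.num for r in rules if r.modality == "R" and r.action == "TRANSFER"
                       and overlap(r.obj, collection, data) and overlap(r.party, party, actors)]
            if blocked:
                risks.append((party, collection, [r.num for r in inflows], blocked))
    return risks


if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_PROFILE), ("redacted", REDACTED_PROFILE)):
        data, rules = parse_profile(text)
        print(label, "conflicts:", conflicts(data, rules))
        print(label, "merging risks:", merging_risks(data, rules))
```

On the original profile the checker reports the rule 3 / rule 5 conflict and nothing else; after REDACT the direct conflict is gone, but the merging check still reports that friendly_fleet can rebuild collected_radar_data from rules 2, 3 and 4 while rule 5 prohibits part of it for low-confidentiality purposes. That is the flow tracing the mitigation bullets call for: the reviewer sees which permitted flows combine, rather than having to spot the recombination by hand.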
Recertification Triggers

How do you know when to run the analysis?

* Reconcile a conflict? Rerun, recheck.
* Add a new feature? Rerun, recheck.
* Modify the policy? Rerun, recheck.

* Rapid analysis means recertification is rapid.
Does it scale?

* How fast can we do analysis? Is it fast enough to let us rerun whenever we want?

* Simulations: 27 repetitions, increasing number of rules [0-80], 1.13 conflicts per increasing rule.

* No objective basis for comparison.

Profile Size vs. Reasoning Time

[Figure: Reasoning Time (Seconds) against Profile Size (# Rules)]

Profile Size vs. Detected Conflicts

[Figure: Detected Conflicts (# Conflicts) against Profile Size (# Rules)]
Does it scale?

* No statistically significant relationship between performance and number of conflicts.
  r(874) = .36, p > .05

Average Profile Parsing Time: < ... second
Largest Profile Size: 80 rules
Longest Profile Processing Time: 400 seconds
Average Conflicts per Statement: 1.13
Conclusions

* Yes, it scales:
  + Analysis can scale in quasilinear time.

* Simulations show that even huge profiles can be analyzed in roughly 7 minutes.

* What do we mean by huge profiles?
  + Hundreds of data flows.
  + Hundreds of rule combinations.
  + Hundreds of conflicts.

Future Work

* Extend automation to provide "hints" to analysts.
* Profile development environment.
  + Automate reconciliation strategies.

* Characterize performance gain against manual processes.

Questions?

* Daniel Smullen
  Graduate Research Assistant, Carnegie Mellon University
  dsmullen@cs.cmu.edu

* Travis Breaux
  Assistant Professor, Carnegie Mellon University
  breaux@cs.cmu.edu